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Digital signatures are widely used in modern communication to guarantee authenticity and trans¬ 
ferability of messages. The security of currently used classical schemes relies on computational 
assumptions. We present a quantum signature scheme that does not require trusted quantum chan¬ 
nels. We prove that it is unconditionally secure against the most general coherent attacks, and show 
that it requires the transmission of significantly fewer quantum states than previous schemes. We 
also show that the quantum channel noise threshold for our scheme is less strict than for distilling 
a secure key using quantum key distribution. This shows that “direct” quantum signature schemes 
can be preferable to signature schemes relying on secret shared keys generated using quantum key 
distribution. 


I. INTRODUCTION 

Signature schemes allow for the exchange of messages 
from one sender to multiple recipients, with the guar¬ 
antee that messages cannot be forged or tampered with. 
Additionally, messages can be transferred, and cannot be 
repudiated. Transferability means that with a probabil¬ 
ity that can be made arbitrarily close to one, if a message 
is accepted by an honest recipient, it will also be accepted 
by another recipient if forwarded. The related require¬ 
ment of non-repudiation means that, except with proba¬ 
bility that can be made arbitrarily small, a sender can¬ 
not later successfully deny having sent a signed message. 
Digital signatures are widely used for example in e-mail 
and electronic commerce, and are considered to be one of 
the most important inventions of modern cryptography. 
Unfortunately, the security of commonly used signature 
protocols relies on the assumed computational difficulty 
of certain problems. In the United States, for example, 
there are currently three approved algorithms for gener¬ 
ating digital signatures - RSA, DSA and ECDSA - all of 
which rely on the difficulty of finding discrete logarithms 
or factoring large primes. With the advent of quantum 
computers, such assumptions would no longer be valid. 
Given the importance of digital signatures, there is thus a 
strong motivation to develop practical signature schemes 
whose security is unconditional, i.e. guaranteed by the 
laws of physics, without any computational assumptions. 

Unconditionally secure “classical” signature schemes 
are possible, but need, at the very least, shared secret 
keys, and often also require a third party trusted by 
everybody (who effectively can provide each participant 
with secret information) [ll-lj . Shared secret keys can of 
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course be generated by quantum key distribution (QKD), 
so that an unconditionally secure signature scheme can 
proceed by first generating secret keys via QKD, and then 
running e.g. the protocol P2 in [^. Unconditionally se¬ 
cure “direct” quantum signature schemes proceed with¬ 
out first distilling highly secure shared secret keys M- 
It is an open question what the best unconditionally se¬ 
cure signature schemes are, with respect to the number 
of quantum transmissions required per signed bit, trust 
assumptions, requirements on communication channels, 
and so on. In this paper, we explicitly demonstrate that 
“direct” quantum signature schemes can have advantages 
over schemes relying on secret shared keys generated via 
QKD, by showing that the “direct” scheme we propose 
can tolerate more noise in the quantum channels. 

Previous quantum signature schemes [J, [6 J3 improved 
on the original Gottesman-Chuang scheme ^ by remov¬ 
ing the need for quantum memory. In these quantum sig¬ 
nature schemes, Alice encoded her signatures into quan¬ 
tum states and sent a copy to both Bob and Charlie, who 
were only able to gain partial information on the overall 
signature due to the quantum nature of the states. How¬ 
ever, the security analysis assumed authenticated quan¬ 
tum channels that did not allow eavesdropping. This 
strong and generally unrealistic assumption meant that 
a potential forger (Bob) only had access to his own copy 
of the signature states sent from Alice. In reality an ad¬ 
versarial Bob would be able to gain extra information on 
Alice’s signature through eavesdropping on the signature 
states sent from Alice to Charlie. 

Here we present a new quantum signature protocol, 
with three improvements over previous protocols. First, 
we remove all trust assumptions on the quantum chan¬ 
nels. This is crucial for actual practical use of quantum 
signature schemes. Second, instead of Alice sending the 
same signature states to Bob and Charlie, Bob and Char¬ 
lie send different states to Alice, which leads to increased 
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efRciency. This departs from the “public-key” principle in 
the earlier quantum signature schemes. Third, as already 
mentioned above, we show that in our direct quantum 
signature protocol, the noise threshold for the Alice-Bob 
and Alice-Charlie quantum channels is less strict than 
for distilling a secret key using quantum key distribution 
(QKD). 

II. THE PROTOCOL 

We outline our protocol for three parties, with a 
sender, Alice, and two receivers Bob and Charlie. Gen¬ 
eralisation to more parties is possible, but special care 
should be taken to address colluding adversaries (see e.g. 
Q). In the three-party scenario, at most one party can 
be dishonest, since two colluding dishonest parties can 
trivially cheat on the third party. In the multiparty sce¬ 
nario, the maximum number of dishonest parties will de¬ 
pend on the method of dispute resolution. If a majority 
vote is used to resolve disputes, then a majority of the 
participants must be honest. Also, transferability and 
non-repudiation become identical in a three-party sce¬ 
nario when majority vote dispute resolution is used. We 
assume that between Alice and Bob, and between Alice 
and Charlie there exists authenticated classical channels 
as well as untrusted, imperfect quantum channels. In ad¬ 
dition, Bob and Charlie share a QKD link which can be 
used to transmit classical messages in full secrecy. The 
protocol makes use of a key-generating protocol (KGP) 
performed in pairs separately by Alice-Bob and Alice- 
Charlie. The KGP uses the noisy untrusted quantum 
channels, and generates two correlated bit strings, one 
for the sender and one for the receiver. When the noise 
level is below the prescribed threshold, the Hamming dis¬ 
tance between the receiver’s string and the sender’s string 
is smaller than the Hamming distance between any string 
an eavesdropper could produce and the sender’s string. 
The KGP is further discussed below, after presenting the 
signature protocol itself. 

The quantum signature protocol has two parts, a dis¬ 
tribution stage, where the scheme is set up, and a mes¬ 
saging stage, when messages are sent and signed. The 
distribution stage involves both classical and quantum 
communication, but all communication in the messaging 
stage is classical. We show how to sign a one-bit message. 
Longer messages can be signed for example by suitably 
iterating the one-bit protocol, as in 

A. Distribution stage 

(1) For each possible future message m=0 or I, Alice 
uses the KGP to generate four different length L keys, 
where the superscript denotes the 
participant with whom she performed the KGP and the 
subscript denotes the future message, to be decided later 
by Alice. Bob holds the length L strings and 


Charlie holds the length L strings AT^, ATf. Due to the 
KGP, we know that Aq contains fewer mismatches with 
Kq than does any string produced by an eavesdropper, 
and the same applies to the other pairs of strings. 
Alice’s signature for the future message m will be 
Sigm = Essentially, what will protect against 

forging is that only Alice knows a valid signature for a 
message m. 

(2) For each future message. Bob and Charlie symmetrise 
their keys by choosing half of the bit values in their 
K^, and sending them (as well as the corresponding 
positions) to the other participant using the Bob-Charlie 
secret classical channel. As explained below, this ensures 
that Alice cannot make Bob and Charlie disagree on the 
validity of a signature if a message is forwarded from Bob 
to Charlie or vice versa in the messaging stage. If Bob (or 
Charlie) chooses to forward an element of (or K^) in 
the distribution stage, he will not further use it to check 
the validity of a signature. They will only use the bits 
they did not forward and those received from the other 
participant M- We denote their symmetrised keys by 
and S^, with the superscript indicating whether the 
key is held by Bob or Charlie. Bob (and Charlie) will 
keep a record of whether an element in ( S^) came 
directly from Alice or whether it was forwarded to him 
by Charlie (or Bob). 

At this point in the protocol, Bob’s and Charlie’s sym¬ 
metrised strings each contain half of and half of K^. 
For each future possible message to. Bob and Charlie each 
have a bit string of length L, and Alice has no information 
on whether it is Bob’s or Charlie’s that contains 
a particular element of the string which has 

length 2L. This protects against repudiation. Bob has 
access to all of and half of K^, but, even if he is 
dishonest, he does not know the half of that Charlie 
chose to keep. This protects against forging by Bob (and 
similarly for forging by Charlie). 


B. Messaging stage 

(1) To send a signed one-bit message to, Alice sends 
{m, Sigm) to the desired recipient (say Bob). 

(2) Bob checks whether (to, Sigm) matches his Sm 
and records the number of mismatches he finds. He 
separately checks the part of his key received directly 
from Alice and the part of the key received from Charlie. 
If there are fewer than Sa{L/2) mismatches in both 
halves of the key, where Sa < 1/2 is a small threshold 
determined by the parameters and the desired security 
level of the protocol, then Bob accepts the message. 

(3) To forward the message to Charlie, Bob forwards the 
pair (to, Sigm) that he received from Alice. 

(4) Charlie tests for mismatches in the same way, but 
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in order to protect against repudiation by Alice he uses 
a different threshold. Charlie accepts the forwarded 
message if the number of mismatches in both halves of 
his key is below s„(L/ 2 ) where Sy is another threshold, 
with 0 < Sa < < 1/2. That the recipients have 

to use different thresholds or acceptance criteria for 
messages received directly from the sender and for 
forwarded messages is a general and necessary feature 
of unconditionally secure signature schemes [1,Q. More 
generally in a multiparty situation, thresholds depend 
on how many times a message has been forwarded, and 
the level of mismatches will determine how many times 
a message can subsequently be forwarded. 


III. KEY GENERATION PROTOCOL 


We now describe how two parties, for now called Alice 
and Bob, perform the KGP. Essentially, Alice and Bob 
perform the quantum part of QKD to generate raw keys, 
but do not proceed to error correction or privacy ampli¬ 
fication. This means that Alice and Bob will generate 
different (but correlated) strings that are not entirely se¬ 
cret. These keys will be the Af, described above. 
Even though the KGP builds on QKD, the security anal¬ 
ysis for the KGP does not follow directly from the secu¬ 
rity of the QKD protocol. This is because the goal of an 
adversary in the signature protocol is different from that 
of an eavesdropper in QKD. Eor the signature protocol, 
what matters is the number of mismatches with a recip¬ 
ient’s key; for QKD, what matters is the information an 
eavesdropper can hold about the key. From the bound 
on an eavesdropper’s min-entropy in QKD, we show how 
to bound the number of mismatches a forger in our sig¬ 
nature protocol can achieve. Our aim is to show that 
d{Af ,Kf) < d(i?guess, ATj®) except with negligible prob¬ 
ability, where d{.,.) is the Hamming distance and Eguess 
is Eve’s attempt at guessing (and it may be that 
Eve is Gharlie). In addition to proving the security of 
the KGP itself, the security of the signature protocol (in 
which the KGP is used as a subprotocol) will be proven 
below in Sec. IlYl 

In what follows, the underlying QKD protocol upon 
which the KGP is built will be the prepare-and-measure 
decoy-state BB84 protocol using weak coherent pulses, 
described in EH- Apart from the post-processing, an¬ 
other difference is that here it is Bob who prepares the 
states and sends them along the quantum channel to Al¬ 
ice. This may not be necessary, but simplihes the security 
analysis in that a dishonest Alice cannot send the recipi¬ 
ents Bob and Gharlie entangled states. Specifically, when 
the KGP is performed by Bob and Alice, we assume that 
Bob has a phase-randomised source of coherent states. 
The intensity of each light pulse is chosen by Bob to be 
either mi, U 2 , or where Ui > U 2 > M 3 . The inten¬ 
sities are chosen with probabilities {Pm,Pu 2 ^ Pus)■ As in 
111 , we use all intensity levels for key generation. To 


encode information, Bob randomly selects one of four 
possible polarisation states - \Qz),\^z) {Z basis) and 
|0x) = I/\/ 2 (| 02 ) -I- |lz)), |lx) = I/v^(|0z) - \lz)) {X 
basis). The X and Z bases are chosen with probabil¬ 
ities px > 1/2 and pz = 1 — Pz < 1/2 respectively. 
The asymmetric probabilities for the two bases increases 
the efficiency of the protocol [l^. Intensities and states 
are chosen independently by Bob to avoid correlations 
between intensity and information encoding. Alice also 
independently chooses the X and Z measurement bases 
with probabilities px and pz respectively. 

For each state sent by Bob, Alice obtains one of four 
possible outcomes {O,l,0,(i} where 0 and 1 are the bit 
values, 0 represents no detection and d is a double click 
event. In the case of double clicks, Alice randomly 
chooses a bit value. Alice and Bob then announce their 
basis and intensity choices over an authenticated classi¬ 
cal channel. If states are transmitted and then measured 
in different bases, or if there is no detection, they are 
discarded (sifting). The protocol is continued until a suf¬ 
ficient number of measurement outcomes have been ob¬ 
tained for each basis and intensity choice. A raw key is 
generated by choosing a random sample of size L -\- k oi 
the X basis counts. The bit string generated by Bob is 
split into four parts (Vb, As^keep,forward)- Alice 
will hold corresponding strings but with the subscript B 
replaced by A. The V strings have length k and are gen¬ 
erated from X basis measurements. They are used to es¬ 
timate the correlation between Alice’s and Bob’s strings 
generated from X basis measurements, after which they 
are discarded. The Z strings are generated from Z basis 
measurements. They will be used to quantify the level 
of eavesdropping by Eve. Roughly speaking, due to the 
complementary nature of the X and Z bases, eavesdrop¬ 
ping must affect the correlations Alice and Bob would 
expect to see in their states and measurement results, 
and they can use a measure of their correlations to find 
a quantitive bound on the min-entropy the eavesdropper 
has on Bob’s X strings. The two Xb strings have length 
L/2 and together make up Bob’s key, Kf. Bob will for¬ 
ward Ab, forward to Gharlie (who could in fact be Eve) 
and will keep the other string, AB,keep, for himself. Bob 
will no longer use the bits in Ab, forward- 

It should be stressed that in signature schemes it can¬ 
not be assumed that Alice and Bob are honest. This 
is another difference from standard QKD. However, as 
explained below, neither of them gain from dishonesty 
during the KGP, and therefore we can assume that they 
behave honestly during the KGP stage. 

In what follows we will consider the finite case, that is, 
a finite number of states are sent and measured, with Eve 
allowed to perform the most general attack permissible 
by quantum mechanics - so-called “coherent” attacks. 
This means that Eve can perform entangling operations 
on any/all states sent over the quantum channel, and at 
any later time make a general measurement on an ancilla 
system kept in quantum memory. 

Our strategy will be to find Eve’s information in terms 
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of her smooth min-entropy, and use that to bound the 
probability that she can make a signature declaration 
containing fewer than a certain number of errors. To be¬ 
gin with then, we must find Eve’s smooth min-entropy on 
Bob’s key XB,keep- We follow m and find Eve’s smooth 
min-entropy in the same manner as for decoy state QKD, 
with the only difference being that here, Bob gives the 
extra information Xb, forward to Eve. However, since Bob 
does not subsequently use this part of the key, this can 
be treated in the same manner as is done for the V string 
sacrificed for parameter estimation, as detailed more ex¬ 
plicitly in Proposition 6 of [l^. Essentially, Eve’s smooth 
min-entropy on XB,keep can be found using entropic un¬ 
certainty relations based on the level of correlation be¬ 
tween Zb and Za- Eor ease of notation, we will simply 
write X instead of >^B,keep, and we will denote its length 
by n. Eve also gains information from the classical com¬ 
munication between Alice and Bob, which is assumed to 
be public but authenticated. The classical random vari¬ 
ables V, 0" and Xb, forward represent the information 
gained by Eve from parameter estimation, basis declara¬ 
tions in the sifting step and, if Eve is Charlie, the for¬ 
warding of A'b, forward by Bob, respectively. 

We gather all of Eve’s information into one quantum 
system living in the Hilbert space TLe- This comprises 
the space containing Eve’s ancilla quantum system fol¬ 
lowing her coherent attack, T-Ie', as well as the spaces 
containing the states encoding the strings V, O", and 
Ab, forward, which we assume are known to Eve. As in 
Appendix B of m , we find 

^min(A|E) ^ Q + SxA ~ , (1) 

Where the inequality holds up to a small additive term 
proportional to log(l/e). Here o and i are the num¬ 
ber of pulses reaching Alice which come from 0- and 1- 
photon pulses respectively, and which make up the entries 
in the string X. (px i is the phase error rate in X ba¬ 
sis measurements coming from single-photon pulses. The 
superscripts U and L represent worst-case scenario esti¬ 
mates consistent with parameter estimation performed 
on a finite sample (see Appendix [^l ■ 

Now the question is, given Eve’s smooth min-entropy, 
is it possible to bound the number of errors she is likely 
to make when guessing Bob’s key? 

Proposition 1. Suppose that Boh and Eve share the 
state pxE where, as above, X is the n-bit string repre¬ 
senting the part of Bob’s key that is not forwarded to 
Charlie/Eve, and E is the correlated quantum system 
held by Eve, including all information gained from classi¬ 
cal communications. Then, for any eavesdropping strat¬ 
egy, Eve’s average probability of making at most r mis¬ 
takes when guessing X can be bounded as 

Will <2) 

The proof of this proposition is given in Appendix IbI 
We can further use Markov’s inequality to say that for 


any a > 0, 

P(Eve makes fewer than r mistakes) '■= Pr < a (3) 


except with probability at most 


(4) 

Where 6)) := (fc) large n, we have 6)) ~ 

2 ^h(rjn) ^ So we have found a bound on the probability 
of Eve making fewer than r mistakes in terms of her 
smooth min-entropy. Using this, as well as © for the 
min-entropy, we find 


1 

cf = - 




(5) 


where , := Sx i/n is the lower bound on the count 
rate for X basis pulses containing i photons. The equa¬ 
tion above should technically have an approximation sign 
rather than an equality since we have used the approx¬ 
imate bound on the min-entropy from Eq. ([I}. It can 
be made exact by including the terms proportional to 
log(l/e) in the min-entropy, however, for simplicity we 
have neglected such terms in the main body of the pa¬ 
per. The condition 


ci.o + cli[l - H(t>x,i)] - h{r/n) > 0 (6) 


determines whether or not Eve is able to make fewer than 
r errors with non-negligible probability. If the condition 
holds, n can be increased to make Eve’s probability of 
making fewer than r errors arbitrarily small. We define 
Pb by the equation 

Cx,o + Cx,i[l ~ ~ Hpe) = 0. (7) 

The meaning of this is that pe is the minimum rate at 
which Eve can make errors (except with negligible prob¬ 
ability). Suppose the error rate on X basis measurements 
between Alice and Bob is upper bounded as . As long 
as Pb > Cx, there exists a choice of parameters and a suf¬ 
ficiently large signature length which makes the protocol 
secure (see Section [TVT) . Equivalently, QDS is possible as 
long as 


Cx,o + Cx,i[l ~ H^x,i)] ~ > 0- (8) 


IV. SECURITY ANALYSIS 

We will now prove the security of the main signature 
protocol, i.e. the robustness (probability of an honest 
run aborting), security against forging (probability that 
a recipient generates a signature, not originating from 
Alice, that is accepted as authentic) and repudiation (or 
transferability) (probability that Alice generates a signa¬ 
ture that is accepted by Bob but then when forwarded, 
is rejected by Charlie). In what follows, we assume that 
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Alice-Bob and Alice-Charlie have each used the KGP to 
generate length L bit strings to use in the QDS protocol 
described above. 

(a) Robustness. Bob rejects a signed message if the 
L/2 bits received from either Alice or Charlie have a mis¬ 
match rate higher than Sa with Alice’s signature. From 
parameter estimation performed on the strings Va,Vb 
( whose length we denote by k), Alice and Bob obtain an 
estimate of the error rate they have with respect to each 
other, for the strings they generated in the X basis. We 
denote the observed error rate by ex- Using the Serfling 
inequality 0 , we can bound the actual error rate be¬ 
tween the strings X^i^keep and ^_B,keep (which we denote 
as ex) by 

ex < ex + S := ex, (9) 

where 

This bound holds except with probability epE- It can 
be seen that for any fixed choice of S, the failure proba¬ 
bility epE decays exponentially fast in the parameter k. 
Let e^ g, e^ Q t>e the worst-case error rates Alice has 
from performing separate KGP’s with Bob and Charlie 
respectively. Set := max{e^ and choose Sa 

such that Sa > e^. The Serfling inequality tells us that 
the true error rate between Alice’s and Bob’s keys will 
be less than except with probability at most epE, so 
the probability of an honest abort is simply 

P(Honest Abort) < 2epE, (11) 

where the factor of 2 occurs since the abort can be due to 
either the states received from Alice or the states received 
from Charlie. 

(b) Security against forging. It is easier for either Bob 
or Charlie to forge than for any other external party, and 
we will therefore consider forging by an internal party. 
In order to forge a message. Bob must give a decla¬ 
ration (m,Sigm) to Charlie that has fewer than SyLl2 
mismatches with the unknown (to Bob) half of sent 
directly from Alice to Charlie, and fewer than s„L/2 mis¬ 
matches with the half he himself forwarded to Charlie. 
An adversarial Bob will obviously be able to meet the 
threshold on the part he forwarded to Charlie. We there¬ 
fore consider only the unknown half that was received 
directly from Alice. If parameter estimation is successful 
in the KGP, then we know the worst-case (maximum) 
rate at which Alice will make errors with Charlie’s key; 
we denote it by . From Eq. ([7|) , we also know the min¬ 
imum rate at which Bob will make errors with Charlie’s 
key; we denote it by 

Assuming (jS]) holds, we choose such that e^ < Sy < 
Pe- In this case, Charlie will likely accept a legitimate 
signature sent by Alice, since the upper bound on their 
error rate, e^, is less than the threshold s„. On the other 


hand, Charlie will likely reject any dishonest signature 
declaration by Bob, since the probability of Bob finding 
a signature with an error rate smaller than is restricted 
by equations m and dSI) as 


P(Eve makes fewer than s„L/2 errors) := Ps l /2 < « 

( 12 ) 

except with probability at most 


ep ■= - 
a 




(13) 


Let us suppose that if any of the parameter estimation 
procedures fail (so for example if is not a good upper 
bound), or if Ps„L /2 ^ o,, then Bob is able to successfully 
forge with certainty. We are then able to bound Bob’s 
probability of successfully forging as 


P(Eorge) < a-I-C l + SepL. (14) 

This equation is valid for any choice oi a, e,epE > 0 and 
so can be made arbitrarily small by increasing L. The 
addition of Scpe is to account for the possibility of the 
upper/lower bounds failing on any of the ex, Sx,o,Sx,i 
or (j)x,i (see Appendix lAT) . Note that security against an 
adversarial Bob derives entirely from the Alice-Charlie 
KGP, in which Bob is already assumed to be an adver¬ 
sary. Thus, any dishonesty on Bob’s part during the 
Alice-Bob KGP cannot help him to forge. Exactly the 
same arguments apply when Charlie is the forger. 

(c) Security against repudiation. Alice aims to send a 
declaration (to, Sigm) which Bob will accept and, when 
forwarded, Charlie will reject. To do this, we must have 
that Bob accepts both the elements that Alice sent di¬ 
rectly to him and the elements that Charlie forwarded 
to him. In order for Charlie to reject he needs only re¬ 
ject one of either the elements he received from Alice, or 
the elements Bob forwarded to him. Intuitively, security 
against repudiation follows because of the symmetrisa- 
tion performed by Bob and Charlie using the secret clas¬ 
sical channel. Even if Alice knows and can control the 
error rates between A^, and K^, she cannot 
control whether the errors end up with Bob or Charlie. 
After symmetrisation, the keys S^ and S^ will each have 
the same expected number of errors. To repudiate, one 
must contain si gnifi cantly more errors than the other. 
Using results in [l6|, we can bound this probability as 


P(Repudiation) < 2 exp 




(15) 


For a more formal proof, please see Appendix [C] Note 
that security against repudiation derives entirely from 
the symmetrisation performed by Bob and Charlie, in 
which Alice plays no part. Even if Alice can control the 
choices of Sa, s„ by manipulating the error rates achieved 
during the Alice-Bob KGP and the Alice-Charlie KGP, 
the choice of L depends on Sa and s„ and the protocol 
will be secure for any valid choice. 
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V. COMPARISON TO QKD 


For the BB84 protocol performed using decoy states 
as described above, with a finite number of states sent 
and received, Appendix B of gives the length of the 
extractable secret key as 


I = 


sx.o + sx,i [1 - H(l^x,i)] - ^EC - log-^ 

L ecor(oi2a3Ey 

4,0 + Sx,l [1 - H^X,l)] - ^EC, 

(16) 


where tear and v are constants related to the possibility 
of failure of error correction and privacy amplification. 
The term \ec represents the information leaked to Eve 
during error correction. It depends on the specific im¬ 
plementation, but must be greater or equal to n/i(e^), 
where n is the size of the bit string being corrected. In 
practice, error correction will not be perfect and it is com¬ 
mon to write \ec = nfEchi^x) where fEC is a leakage 
parameter. To perform error correction, the total key 
is split into blocks and the leakage parameter, Jec^ de¬ 
pends on this block size, but not the overall length of the 
key. Increasing the block size reduces Jec at the cost of 
decreasing the efficiency of the error correction protocol. 
Estimates of Jec for practically feasible error correction 
is an area of active research |I7j| . though it is commonly 
estimated to be in the range 1.11 — 1.2, regardless of the 
length of the total key being distilled. For example, fl^ 
assumes Jec = 1-2 based on the performance of error- 
correcting codes in use at ID Quantique. Rewriting dT51) , 
we obtain 


I Ri n {cx^o + Cx^i [l — /i(4,i)] ~ fEch{e^)"\ . (17) 

Comparing equations (|8]) and (113, we immediately see 
that there are Alice-Bob and Alice-Charlie quantum 
channels for which quantum signatures are possible and 
yet practical QKD gives a zero key generation rate. As 
stated above, Jec is independent of n and so cannot be 
decreased by simply increasing the size of the total key. 
The important point is that because the quantum signa¬ 
ture scheme omits the inefficient process of error correc¬ 
tion, there should always be some region where quantum 
signature generation is possible but QKD is not. 


signature needed to sign a message. To facilitate com¬ 
parison to previous quantum signature protocols, sup¬ 
pose one wants the probabilities in (fTTl) . (ITT)) - (ITSl) to all 
be below 10“^. Using realistic experimental quantities 
(taken from 0), we estimate that a signature length of 
L = 7.71 X 10^ (for each of the possible one-bit messages 0 
and 1) is required to securely sign a one-bit message, sent 
over a distance of 50 km. This would require Bob/Charlie 
to transmit approximately 6.3 x 10® quantum states (per 
bit to be signed) to Alice during their KGP’s (see Ap¬ 
pendix [D| . We compare this to previous quantum signa¬ 
ture protocols which required 0(10^°) states to be trans¬ 
mitted to achieve the same level of security over 1 km 
0 . 

The increase in efficiency is largely due to the fact 
that in our protocol Bob and Charlie send Alice differ¬ 
ent states, whereas in previous protocols Alice sent Bob 
and Charlie the same signature states. In those proto¬ 
cols, even without any eavesdropping, a potential forger 
has access to a legitimate copy of each of the states Al¬ 
ice sent to the participants, and thus to reach the same 
levels of security requires longer signatures. Moreover, 
when generalising to N participants with up to t dishon¬ 
est parties, potentially colluding forgers are even more 
powerful, since they may have t legitimate copies of each 
state. In our protocol, where different states are sent 
by each participant, this problem is evaded. The only 
source of information for a potential forger is by eaves¬ 
dropping on the quantum channels, an activity not even 
considered in previous protocols due to the assumption 
of “authenticated” quantum channels. 

We also showed that the noise threshold in the quan¬ 
tum channels connecting Alice-Bob and Alice-Charlie is 
in practice less strict for quantum signatures than for 
distilling a secret key using QKD. For some quantum 
channels, therefore, quantum signature protocols that 
use QKD (e.g. P2 of Q) are not possible, while our direct 
quantum protocol remains possible. This is an example 
that direct quantum protocols are sometimes preferable 
to protocols relying on secret shared keys generated using 
standard QKD, and highlights that quantum signature 
protocols are not in general merely a direct combination 
of QKD protocols and classical post-processing. 
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Appendix A: Finite-size estimates 

Equation o contains three quantities to estimate ~ 
Q and ^; which are estimates of the number of 
counts (sent and measured in the X basis) containing 
zero and one photon respectively; and ^ which is an 
estimate of the phase error rate in the X basis counts. 

As in m , we have 


Sx.O ^ -- 

U2-U3 \ Pus Pu2 

where n'^ is the number of counts (from states sent 
and measured in the X basis) coming from pulses with 
intensity Uk, and := This for¬ 

mula is valid in the asymptotic limit where the number 
of counts will be equal to the expected value. In the finite 
setting, we cannot know with certainty the actual value 
of n*x u^ ■ This is because once the raw key is generated, 
we randomly choose a finite sample of L -|- fc states from 
X basis counts. Nevertheless we are able to bound n’t „ 
from above and below with high probability using the 
statistics observed in parameter estimation. Specifically, 
if nx 11.L. are the observed statistics, Hoeffdings inequali¬ 
ties [l3 give 



- S{L + k, epe) < n*x^u^ 

^x,uk ■= '^x,uu + 5{L + k, epe) > n*x^uu ■ 

These bounds hold wit h probability at least 1 — epe, 
where S{nx,£pE) ■= \J'nx ln(l/en£;)/2. Replacing the 
n*x,uk in Eq. dH]) by the corresponding worst-case finite- 
size estimate leads to a finite-size lower bound on sx.o^ 
which we call ^nd which holds with probability at 
least 1 — 2 epe- 

Similarly, we can bound Sx 1 as 


Mi(u 2 - U3 ) - (m| 

ul - nj / gx,o 
uj \ To 


'-X.U2 


Pu2 


Pui ) 


n 


+ 


Pu^ 


(A3) 


The X basis phase errors are not directly observed in 
the protocol. Instead, we relate to the bit error rate 
in the Z basis. As in Appendix B of m , we have 


^x.i ^ 


■'z.i 


’z.i 


z,l L L 

'ai, -p-^Sz^i.Sxp 


(A4) 


where ^ is the upper bound on the number of bit errors 
in Z basis counts coming from single photon pulses, and 


7(a,6,c, d) 


(c -I- d)(I — b)b 
cd In 2 


log 


cd(l — b)b a? 


(A5) 


where oicomes from the calculation of the min-entropy 
given in [^, and is such that ai > 0, e > 2 q:i - 1-02 + 03. 
Here e is the smoothing parameter in the smooth min- 
entropy. 

All quantities on the right hand side of Eq. (IA4I) are 
known, except 1 which we can hnd as 


V 


u 

z.l 


< 


Tl 

U 2 - U 3 


m 


+ 

Z,U 2 


PU2 


^""^Z,us \ 
Pus j ’ 


(A6) 


where the are the upper and lower bounds on the 

true number of bit errors from Z basis counts of inten¬ 
sity Uk- These are found from the observed number plus 
finite-size variations, similar to Eq. (IA2I) . 


Appendix B: Proof of Proposition 1 

In order to guess X making fewer than r errors. Eve 
will perform some optimal measurement on her system 
E and from that gain a classical outcome F which is 
her guess for X. This transforms pxE to the classical 
state TxF which can be represented by the probability 
distribution Pxf- Erom the data processing inequality 
[2l[ we have 


HX^[X\E)p < HX^{X\F)p. (Bl) 

We now use the following lemma, similar to Lemma 
3.1.12 from 

Lemma 1. Let txf be a classical state. Then the max¬ 
imisation in the smooth min entropy, 

'^mm(^|E)r ■ _ max HuainirXF\rrF^, 

rap 

is achieved for a classical txf cind a classical ap- Note 
that the supremum over a is over all density matrices 
with trace 1. 

Proof. To prove this, we will show that for any t'xe S 
B'^{txf) and a'p, there exists a classical txf S B’^{txf) 
and a classical ap such that 

Hmin{TXF\o'F) + Hmin{T x f\^ f) ■ 

To do this, define S := £xf, the projective measurement 
in the XF basis. Choose txf ■= £{t'xf) and ap ■= 
£f{<t'p), where is the projective measurement in the 
F basis. Since £f is a CPTP map, ap still has unit trace. 
Also, we have 

\\txf — txf\\i = \\£^'xf~'^xf)\\i < \\t'xf~'''xf\\i < e, 

where the hrst equality follows from the definition of £ 
and because txf is classical. The first inequality follows 
because the trace distance can only decrease under CPTP 
maps, and the second inequality follows because t'xe £ 
B'^{txf). This shows that txf G B^{txf). 






















Now we use lemma 3.1.12 from [2^ to say that 
Hmin{TXF\o'F) ^ f\'^f) 

is true if 

Ijf 0 CTiJ’ - S{lx ® cr'p) > 0. 

Plugging in the definition of £ we find 

\x ® O'F — £xf{^X = ^X ® O-F — ^X ® <yF = 0, 

where we have used that £xf = £x ® £f when applied 
to product states. □ 

This lemma means that 

Ht^,^{X\F)p = H^UX\F)p. (B2) 

for some classical (possibly unnormalised) probability 
distribution P'xp- To start with, let us assume that fol¬ 
lowing Eve’s optimal strategy, her guess, F, is jointly 
distributed with X according to P'xf- i&ct, they will 
be distributed according to some unknown probability 
distribution Pxf, but P'xp is e-close to Pxf in terms 
of Li (or trace) distance. Note that the trace distance 
makes sense even for unnormalised distributions. 

Let us introduce the notation 



Sl = {x' €X-.d{x,x')<r}, (B4) 

where d is the Hamming distance. Under the distribu¬ 
tion PxF^ Eve’s average “probability” (note again that 
P' may not be normalised, but we will relate it to the nor¬ 
malised probability distribution P) of making at most r 
mistakes, {pr)p', can be bounded as 


{pr)p, ='^P^{f) max Px\F=fi^') 
f “ 

/ " (B5) 

= bnY ^^^^Px\F=fi^) 

/ 

i^r^-H„,.^{X\F)p, 

where P'p is the marginal distribution of P'xp and the 
last inequality follows from the definition of min-entropy 
on classical systems [^ . 

Now, in fact the distribution shared by Bob and Eve 
following Eve’s optimal strategy is not Pxf^ Pxf 
where Pxf is e-close to Pxf- We can use the above 
bound on (pr)p' to get a bound for {pr)p as follows. 


(Pr)p' 


^P),(/)max Y Px\F=fi^') 
I “ 


^P^(/)max ^ 


P'xpi^'^ /) 

P'pif) 


^max Y Pxpix'J). 
f "" ^'esj 


(B6) 


Let / G {/i, /2, ■•■} and let cc' and Xi be such that 

PxF{x',fi)= Y Pxpixji), (B7) 

x'gS'^ 


max Y PxF{x',fi)= Y PxF{x,fi), (B8) 

ai'GSJ 

I.e. x' and Xi specify the sets, 5”, which maximise the 
sum in the last equality of (jB6p for distributions Pxf 
and Pxf respectively. Continuing from (IB6I) we have 

(pr)p'=Y X! PxFi^Ji) 

i xGSY 

^ Y1 PxFi^^fi) 

> X! PxF(x,fi) 

y i xgS'^. 

= {pr)p - e. 

So, following her optimal strategy, we can bound Eve’s 
average probability of making fewer than r mistakes when 
guessing the bit values of X as 

{pr)p < {pr)p' + e 

< -h e (BIO) 

where we have used Hrmn{X\F)pi = F[^^^{X\F)p > 



Appendix C: Security against repudiation 

Alice aims to send a declaration (m, Sigm) which Bob 
will accept and which Charlie will reject. For this to 
happen. Bob must accept both the elements that Alice 
sent directly to him, and the elements that Charlie 
forwarded to him. In order for Charlie to reject he 
need only reject either the elements he received from 
Alice, or the elements Bob forwarded to him (or both). 
Intuitively, security against repudiation follows because 
of the symmetrisation performed by Bob and Charlie 
using the secret classical channel. In the distribution 
stage, to send the future message to, Alice will use the 
KGP with Bob and Charlie so that they hold the strings 
(6i,..., 6 l) and (ci,..., cl) respectively. We give Alice full 
power and assume that later on, in the messaging stage, 
she is able to fully control the number of mismatches 
her signature declaration contains with (6 i,...,6l) 
and ( ci ,..., cl ). Call the mismatch rates ep and ec 
respectively. Now, the symmetrisation process means 
that Bob and Charlie will randomly (and unknown to 
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Alice) receive L/2 elements of the each other’s strings. 
We aim to show that any choice of ec,eB leads to an 
exponentially decaying probability of repudiation. 

Suppose that ec > Sa- In this case, Bob is select¬ 
ing (without replacement) A/2 elements from the set 
{ci,..., Cl}, which contains exactly ecL mismatches with 
Alice’s future declaration. The number of mismatches 
Bob selects then follows a hypergeometric distribution 
H{L,ecL,L/2) with expected value ecLl2. In order to 
accept the message, Bob must select fewer than SaL/2 
errors. Using |16| we can bound the probability that 
Bob selects fewer than SaL/2 mismatches as 

P(Bob gets fewer than SaT/2 mismatches from Charlie) 

< exp[-(ec - SafL]. 

(Cl) 

To repudiate, Alice must make Bob accept the message, 
which means that Bob must accept both the part 
received from Alice and the part received from Charlie. 
Since P(A fl B) < min{P(A),P(i?)}, the probability of 
repudiation must be less than or equal to the above 
expression, and so must also decrease exponentially. 


Suppose that ec < Sa- In this case, if es > Sa, 
the above argument shows that it is highly likely that 
Bob will reject the message, so we consider only the 
case where cb < So- Consider first the set {6i,..., &i,}- 
We can use the same arguments as above to bound the 
probability of selecting more than SvL/2 mismatches as 

P(Charlie gets more than s^A/2 mismatches from Bob) 

< exp[-(s„ - cbYL], 

(C2) 


Alice succeeds if Charlie selects more than s«L/2 mis¬ 
matches from either the set {6i,...,&i} or the set 
{ ci ,..., cl }. Using P(A U B) < P(A) -|-P(i3), we can 
see that, for the choice of eB,ec < So, we have 


P(Charlie gets more than SvL(2 mismatches) 

< 2exp[-(s„ - Sa)^i]- ^ ^ 

So again, the probability of Alice successfully repudiat¬ 
ing decreases exponentially in the size of the signature. 
Similar to 0, Alice’s best strategy would be to pick 
cb = cc = ^{sv + Sq), in which case 


P(Repudiation) < 2 exp 




(C4) 


Appendix D: Calculation of the number of quantum 
transmissions required per signed bit 

1. Parameters and constraints 

The correctness and security of the protocol depends 
on the three equations (HH), (m and (iia, which in turn 


depend on the choice of parameters Sa and Sy. The pa¬ 
rameters must be such that < Sa < Sy < pe- Here, 
and in all that follows, is the maximum of the worst- 
case error rates Alice makes with Bob’s key (found from 
the Alice-Bob KGP), and the worst-case error rates Alice 
makes with Charlie’s key (found from the Alice-Charlie 
KGP). Similarly, pE is the minimum of the eavesdrop¬ 
per’s error rates found from the Alice-Bob and Alice- 
Charlie KGP. The aim is to choose the parameters that 
minimise the number of quantum transmissions required 
per signed bit. Note that the number of quantum trans¬ 
missions required per signed bit is not equal to the sig¬ 
nature length, L. In general, due to channel losses and 
parameter estimation procedures. Bob will have to trans¬ 
mit more than L quantum states to generate a signature 
of length L. 

In the next section, we will calculate the length of the 
signature and the number of quantum transmissions nec¬ 
essary to sign a message with a security level of 10“^. 
By this, we mean that the probabilities of honest abort, 
forging, and repudiation, given respectively by (HB), O 
and USD, are all less than 10 To find the length, per 
possible one-bit message 0, 1, of the signature necessary 
to securely sign a one-bit message, we must first choose 
the parameters Sa and Sy. Ideally, our choice would min¬ 
imise the total length of the signature, L. We choose to 
set epE = I0“® and 


.. = 4 + !^^^. + (Dl) 

We note here that this may not be the optimal choices of 
these parameters, however, it seems natural to choose the 
parameters in order to equally partition the gap between 
and pe- Nevertheless, more sophisticated optimisa¬ 
tion of the parameters may lead to better results. 


2. The number of quantum transmissions required 
per signed bit 

In this section, we use experimental data provided by 
[l^ to give a rough estimate of the number of states 
(per possible message bit value) Bob needs to transmit 
over a 50 km quantum channel to securely sign a one-bit 
message. We set epe = I0“® in all equations that follow. 
The experiment in [l^ approximately achieves the values 

• Source: IGHz pulse rate 

• Basis probabilities: px = 93.75%, pz = 6.25%. 

• Intensity levels: 

{ui,U2,U3) = (0.425,0.0435,0.0022). 

• Dark count rate: = 2.1 x 10“^ 

• Detector Efficiency: rjdet = 20.4% 

• Channel attenuation: 0.2dB/km 
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• Receiver loss: 2.8dB 

• Optical bit error rate: X basis Qx = 1.38%, Z 
basis Qz = 0.76% 

As in [2^, we model the detection rates for intensity 
Uk as 


= 1 - (1 - 2pd)e-“'“'' (D2) 

and the Z basis bit error rates as 

=- p -> (D3) 

and similarly for the X basis bit error rates, but using 
Qx in place of Qz- Over 50 km, the attenuation due to 
channel and detector loss is rfch = 10“^-^® = 0.0525. 77 
represents the overall transmission in the system, with 
rj = rjdetVch = 0.0107. 

If we choose intensities with probabilities = 25%, 
Pu 2 =40%andp„3 = 35%, then if Bob transmits 6.3 x 10® 
states in total, we expect the raw key to contain 8.10x 10® 
bit values from X basis measurement outcomes. Of these, 
Bob will randomly choose L/2 = 3.86x 10® to be XB.keep, 
another L/2 will be used as XBjorward and the remain¬ 
ing k = 3.86 X 10^ will be used to estimate the correlation 
between Alice and Bob’s X basis measurement outcomes. 

For the given intensity choice probabilities and error 
rates, we expect to observe an X basis bit error rate of 


2.87%. We can then use Eq. ([91) to upper bound the true 
error rate as = 4.02%. 

Using Appendix [Al and the detection/error rates given 
by m, (ID3I) above, we can calculate the min-entropy. 
Setting e = 10“^° we use ([T|) to find 

H^,^{X\E) = 1.40 X 10®, (D4) 

Using d?]) we find pe = 6.96%, and so have Sa = 4.99% 
and Sv = 5.96%. Setting also a = 10“® and putting these 
values into equations nil), dm) and (fTSl) we find 

P(Honest Abort) < 2epE = 2.00 x 10“®, (D5) 


P(Forge) < ep + a + Sepp = 1.00 x 10 (D6) 


P(Repudiation) < 2 exp — Sa)^L 

= 2.97 X 10“®. 

Thus we can see that when 6.3 x 10® states are transmit¬ 
ted, the protocol is secure to a level of 10“^. It should 
be stressed that this analysis is rough, and has not been 
optimised. 
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